Google removed the Web Integrity API, perceived as an attempt to promote something like DRM for the Web

Google listened to the criticism and stopped promoting the Web Environment Integrity API, removed its experimental implementation from the Chromium codebase, and archived the specification repository. At the same time, experiments continue on the Android platform with a similar API for verifying the user's environment, WebView Media Integrity, which is positioned as an extension based on Google Mobile Services (GMS). It is stated that the WebView Media Integrity API will be limited to the WebView component and to applications that process multimedia content; for example, it can be used in WebView-based mobile applications for streaming audio and video. There are no plans to provide access to this API through a browser.

The Web Environment Integrity API was designed to let site owners ensure that the client's environment is trustworthy in terms of protecting user data, respecting intellectual property, and interacting with a real person. It was thought that the new API could be useful where a site needs to ensure that there is a real person and a real device on the other side, and that the browser is not modified or infected with malware. The API is based on Play Integrity technology, already used on the Android platform to verify that a request comes from an unmodified application installed from the Google Play catalog and running on a genuine Android device.

The Web Environment Integrity API could be used to filter out bot traffic when displaying advertising; combat automatically sent spam and rating inflation on social networks; detect manipulation when viewing copyrighted content; combat cheaters and fake clients in online games; detect the creation of fictitious accounts by bots; counter password-guessing attacks; and protect against phishing carried out with malware that relays output to real sites.

To confirm the browser environment in which the loaded JavaScript code is executed, the Web Environment Integrity API proposed using a special token issued by a third-party authenticator (attester), which in turn could be linked by a chain of trust to integrity control mechanisms in the platform (for example, Google Play). The token was generated by sending a request to a third-party certification server, which, after performing certain checks, confirmed that the browser environment had not been modified. For authentication, EME (Encrypted Media Extensions) were used, similar to those used in DRM to decode copyrighted media content. In theory, EME is vendor-neutral, but in practice three proprietary implementations have become common: Google Widevine (used in Chrome, Android, and Firefox), Microsoft PlayReady (used in Microsoft Edge and Windows), and Apple FairPlay (used in Safari and Apple products).
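The token flow described above, sketched as an added example (not code from the original article, Chromium or the WEI specification): an attester signs a verdict about the environment, and the site verifies it against a pinned attester key before acting on it. The token layout, the field names, `attester.example`, the request binding and the 60-second freshness window are assumptions made for illustration.

```javascript
// Added illustration. The token layout, field names and "attester.example" are
// assumptions, not the Web Environment Integrity wire format.
const nodeCrypto = require('node:crypto');

// Constructed attester key pair; a real site would pin only the public key.
const attester = nodeCrypto.generateKeyPairSync('ed25519');
const TRUSTED_ATTESTERS = new Map([['attester.example', attester.publicKey]]);

const b64u = (data) => Buffer.from(data).toString('base64url');
const sha256 = (text) => nodeCrypto.createHash('sha256').update(text).digest('hex');
const fail = (reason) => ({ ok: false, reason });

// Attester side: sign a verdict bound to the request the site is about to accept.
function issueToken(verdict, contentBinding, issuedAt, key = attester.privateKey) {
  const payload = JSON.stringify({
    iss: 'attester.example', verdict, binding: sha256(contentBinding), iat: issuedAt,
  });
  return `${b64u(payload)}.${b64u(nodeCrypto.sign(null, Buffer.from(payload), key))}`;
}

// Site side: "iss" is read early only to select a pinned key; every other
// claim is evaluated after the signature has been verified.
function verifyToken(token, expectedBinding, now, maxAgeSec = 60) {
  const [p, s, extra] = String(token).split('.');
  if (!p || !s || extra !== undefined) return fail('malformed');
  const payloadBytes = Buffer.from(p, 'base64url');
  let claims;
  try { claims = JSON.parse(payloadBytes.toString('utf8')); } catch { return fail('malformed'); }
  const key = claims ? TRUSTED_ATTESTERS.get(claims.iss) : undefined;
  if (!key) return fail('unknown attester');
  if (!nodeCrypto.verify(null, payloadBytes, key, Buffer.from(s, 'base64url'))) {
    return fail('bad signature');
  }
  if (claims.binding !== sha256(expectedBinding)) return fail('binding mismatch');
  if (claims.iat > now || now - claims.iat > maxAgeSec) return fail('stale');
  if (claims.verdict !== 'trusted') return fail('untrusted environment');
  return { ok: true, reason: 'accepted' };
}

// Constructed sample run: one accepted token, then a replay against another request.
const NOW = 1700000000;
const token = issueToken('trusted', 'POST /login nonce=constructed-123', NOW);
console.log(verifyToken(token, 'POST /login nonce=constructed-123', NOW + 5));
console.log(verifyToken(token, 'POST /transfer nonce=constructed-456', NOW + 5));
```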

The attempt to implement this API raised concerns that it could undermine the open nature of the Web and increase users' dependence on individual vendors, as well as significantly limit the ability to use alternative browsers and make it harder to bring new browsers to market. As a result, users could become dependent on verified, officially released browsers, without which they would lose the ability to work with some large websites and services.

Source: opennet.ru
